As one of the top financial institutions in the world, ranking in the top 150 of the Fortune 500 in 2018, BNY Mellon understands the criticality of a scalable risk management solution for their growing business – and their in-house, Excel®-based IT Risk Management solution was not cutting it. To learn more about how BNY Mellon tackled this challenge, Resolver spoke with Christopher Cirone, Technology Risk Management and Jonathan Dong, Vice President, Technology Resilience and Control Governance at BNY Mellon.
“We quickly recognized that there was a lack of ability to scale when we were using Excel®,” said Christopher Cirone, Technology Risk Management. “It was very error-prone, and things were falling through the cracks.”
BNY Mellon serves hundreds of thousands of customers worldwide, so there is no room for overlooked risks or missed opportunities. To close that gap, they began looking for a way to scale up the number of risk assessments they could complete each year.
After reviewing several vendors, BNY Mellon ultimately chose Resolver’s RiskVision software because of the extensiveness of its capabilities. As a team that’s expected to produce, they were confident that they’d be able to do so with this solution. Additionally, the fact that they didn’t need extensive development work to get up and running was key to ensuring that they could drive adoption and build a risk culture within their organization.
The extensive automation capabilities in RiskVision will allow BNY Mellon to drastically increase the number of assessments they get done every year. Currently, they complete 100 assessments per year. Their goal is to triple or quadruple that number in 2019, mainly through the software’s ability to automate aspects of the assessment workflow.
“That will be our key win in 2019,” said Jonathan Dong, Vice President, Technology Resilience and Control Governance.
Moving forward, they hope to use the solution to automate and collect data throughout the company, reducing “assessment fatigue” by eliminating the need to ask the same questions repeatedly. One of the features that drew them to Resolver’s RiskVision software was the fact that it could do the work of three separate programs. RiskVision provides a way for BNY Mellon to use a single tool to automate their assessment process and generate the findings and risk scores. This information allows them to make data-based decisions that will positively drive results for the business.
Resolver helps the world’s leading organizations reduce the frequency and severity of negative events. Risk, security and resilience professionals use our software solutions to provide actionable insights and control operational costs.
IT and security professionals say that one of their biggest challenges is giving their executive team visibility into the organization’s actual cybersecurity posture. While responsibility for security increasingly resides in the C-suite, many executives want to rely on compliance audits alone to assure themselves that corporate and customer data is safely locked away. Often, it is a classic head-in-the-sand approach to risk management.
When an expensive and embarrassing breach occurs, those same executives can face serious consequences, including fines into the hundreds of millions of dollars. Organizational executives cannot rely on simple devices such as vulnerability scanners to ensure protection. No matter their size or industry, enterprises need a robust, comprehensive approach to risk management.
By moving beyond the scanner, you can automate processes to remove the burden of manipulating and making sense of data through an inefficient, manual system.
Scanning tools give you vulnerability findings keyed to IP addresses, but they don’t relate those findings to the business functions behind them. People have to do that, and in security, people are nearly always the weakest link. The more you can rely on automation to collect, store, manage, clean, sort, and secure that data, the safer your information will be. A tighter, cleaner security program puts more of that work on a fast, repeatable process and less on an error-prone human.
Scanners don’t provide you with the real-time, meaningful data you need to understand what assets these vulnerabilities are tied to, and thus, which need to be addressed.
Data is only valuable when you know how to act on it. Vulnerability scanners produce a large volume of data, but it’s often poor quality and too much to sort through, meaning you can’t easily figure out what needs shoring up and what’s probably fine. This approach leaves you trying to secure every item in the system instead of prioritizing the most critical and potentially serious ones.
By growing beyond reliance on a vulnerability scanner, you can provide this real-time data to your executives in comprehensive reports whenever they ask for it. Nobody will have to wait for all the numbers to be manipulated from Excel into a report at the month’s end anymore.
Scanners don’t tell you what to prioritize – just how to patch a vulnerability and with what patch.
An effective vulnerability management program starts with knowing what to prioritize. You can’t secure everything, and you don’t need to. But a vulnerability scanner will have you trying to do just that, potentially leaving gaping holes in the firewall while you worry over trivial vulnerabilities.
Not all vulnerability metrics matter. Some are critical, and some are not. Knowing the context of the vulnerabilities you identify allows your team to score each one according to pre-determined criteria, thus prioritizing the most important soft points in your system. Having real-time data and proper prioritization, which a vulnerability scanner doesn’t provide, will help reduce the risk of exploitation.
Your IT team needs to know which vulnerabilities to prioritize today so they don’t get exploited tomorrow. You can’t focus on everything, so you need to focus on the right vulnerabilities. Combining a risk scoring system with a connector into your asset and vulnerability data can give you ample advance warning to patch specific, urgent vulnerabilities before an outbreak.
As a security team leader, you need to know how you are doing in each business unit. You have to answer questions such as: How quickly are we remediating the vulnerabilities? How many vulnerabilities have we remediated this month? Which ones are overdue for which patches? How many vulnerabilities are not getting patched within three months and/or are not meeting their internal SLAs?
Currently, you may be reporting on those questions using a manual reporting process from your scanner’s data, spreadsheets, and data manipulation, then putting together slides to show all that to your management team. It’s time consuming and dated before it hits the executive conference table.
Often, there are good reasons for why you can’t patch or patch quickly enough to meet your SLAs. Scanners may not accurately report your vulnerabilities, causing you to waste resources and time patching the same vulnerability.
Sometimes you don’t even want to patch. Take false positives, for instance. A scanner treats a virtual IP address as a separate asset, so one host that answers on several addresses shows up as several “assets”; if you patch each reported “asset” separately, the second and third rounds of work are redundant.
Because scanners report by IP address rather than by asset, they can flag multiple assets when in reality there is only one. This skews the reporting, making it seem like you have more vulnerabilities than you actually do.
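The prioritization, SLA tracking and IP-versus-asset deduplication discussed above can be shown end to end. The following Python is an added example written for this page; it is not Resolver’s code nor output from any real scanner. The findings, the asset inventory, the scoring weights and the SLA days are all constructed assumptions, and a real program would substitute its own inventory source and policy values.

```python
"""Risk-based triage of raw scanner findings (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed asset inventory: every address a host answers on, including virtual
# IPs, maps to one canonical asset, its business unit and its criticality.
ASSET_BY_IP = {
    "10.0.1.10": ("web-01", "customer-portal", "high"),
    "10.0.1.11": ("web-01", "customer-portal", "high"),  # VIP on the same host
    "10.0.2.20": ("hr-db-01", "payroll", "high"),
    "10.0.3.30": ("kiosk-07", "lobby-display", "low"),
}

# Assumed policy: remediation SLA in days per scanner severity, and how much
# asset criticality should scale the raw CVSS score.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
EXPLOIT_MULTIPLIER = 1.5  # public exploit available


@dataclass(frozen=True)
class Finding:
    """One row as a scanner would report it: per IP, not per asset."""
    ip: str
    plugin_id: str
    severity: str
    cvss: float
    exploit_available: bool
    first_seen: date


@dataclass
class Triaged:
    asset: str
    business_unit: str
    plugin_id: str
    score: float
    sla_due: date
    ips: tuple


# Constructed sample scan output: four rows, but only three real exposures,
# because web-01 is reported once for each of its two addresses.
SAMPLE_FINDINGS = [
    Finding("10.0.1.10", "12345", "high", 8.0, True, date(2019, 1, 10)),
    Finding("10.0.1.11", "12345", "high", 8.0, True, date(2019, 1, 10)),
    Finding("10.0.2.20", "67890", "critical", 9.8, False, date(2019, 2, 1)),
    Finding("10.0.3.30", "12345", "high", 8.0, True, date(2018, 11, 1)),
]
SAMPLE_TODAY = date(2019, 2, 12)


def dedupe_by_asset(findings):
    """Group per-IP rows onto (asset, plugin) so one host counts once."""
    grouped = defaultdict(list)
    for f in findings:
        if f.ip not in ASSET_BY_IP:
            continue  # unknown address: an inventory gap, not a patch task
        asset = ASSET_BY_IP[f.ip][0]
        grouped[(asset, f.plugin_id)].append(f)
    return grouped


def risk_score(finding, criticality):
    """CVSS scaled by asset criticality, boosted when an exploit is public."""
    score = finding.cvss * CRITICALITY_WEIGHT[criticality]
    if finding.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 1)


def triage(findings):
    """Return deduplicated findings, highest contextual risk first."""
    out = []
    for (asset, plugin), group in dedupe_by_asset(findings).items():
        rep = max(group, key=lambda f: f.cvss)  # worst row represents the group
        _, unit, crit = ASSET_BY_IP[rep.ip]
        earliest = min(f.first_seen for f in group)  # SLA clock starts at first sight
        due = earliest + timedelta(days=SLA_DAYS[rep.severity])
        ips = tuple(sorted(f.ip for f in group))
        out.append(Triaged(asset, unit, plugin, risk_score(rep, crit), due, ips))
    out.sort(key=lambda t: t.score, reverse=True)
    return out


def overdue_by_unit(triaged, today):
    """Count findings past their SLA per business unit (the per-BU report)."""
    counts = defaultdict(int)
    for t in triaged:
        if t.sla_due < today:
            counts[t.business_unit] += 1
    return dict(counts)


if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS):
        print(f"{t.asset:10} {t.business_unit:16} plugin={t.plugin_id} "
              f"score={t.score:5} due={t.sla_due} ips={','.join(t.ips)}")
    print("overdue by unit:", overdue_by_unit(triage(SAMPLE_FINDINGS), SAMPLE_TODAY))
```

Two things the raw scanner output would not have shown: the four rows collapse to three exposures once web-01’s virtual IP is folded back onto the host, and the internet-facing portal outranks the database even though the scanner labelled the database finding “critical”, because asset criticality and a public exploit are part of the score. The overdue count per business unit is the answer to the SLA questions a security lead is asked at month end, produced from the data rather than from a spreadsheet.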
It’s important to focus your team on more meaningful tasks that directly impact the business and help efficiently manage risk. If you are relying on a vulnerability scanner, you and your team are probably spending a lot of time doing manual data manipulation and report creation. You could be spending that time doing something more productive such as identifying real and urgent vulnerabilities and preventing or patching them.
Get your team out of the task-based job of doing daily reporting work. Instead, put your staff members to helping the business prioritize security activities, remediate, and better understand false positives.
To be effective stewards of security, your c-suite team needs clear insight into where your threats are, how they would affect the business if exploited, and how they can enable your team to address these risks more effectively.
The time, effort, and budget required to search, find, and implement a new tool is well worth it. Don’t settle for just scanner data. It’s a manual, time-consuming method that will become less and less efficient and effective as breaches become more frequent.
Resolver helps industry-leading companies protect themselves against cyber breaches by prioritizing on a risk-based approach to threat and vulnerability management.
While relatively new to the corporate hierarchy, Chief Information Security Officers (CISOs) are becoming increasingly integral to ensuring uninterrupted business operations. The prominence of the position has naturally grown alongside the modern workplace’s reliance on technology.
To fulfill their principal goals of protecting and maintaining critical enterprise assets, CISOs are being tasked with a broad range of responsibilities, from cybersecurity response to data privacy and information security. It’s now common to see a CISO in charge of virtually all facets of an organization’s information risk management strategy.
There are many ways a company’s information security can be compromised, many of them largely outside the CISO’s control. With that said, the most effective CISOs keep their finger on the pulse of prevailing information technology (IT) trends and deploy solutions that help them stay ahead of the most common dangers.
The increasing prevalence of cyberattacks is generally the top concern for CISOs and the drive for most of their day-to-day efforts. Few other threats pose a greater risk to a company’s revenue stream, brand value, and general operational capacity.
Take, for instance, the ubiquitous distributed denial-of-service (DDoS) attacks. DDoS attacks occur when attackers seek to disrupt a network by flooding it with traffic, congesting it with redundant requests and crippling its ability to function normally. For a customer-facing firm dealing in software solutions, such an attack can be deadly in terms of company revenue and customer satisfaction.
Even for more traditional companies that still use web services for internal operations and data storage, the heavy downtime that could result from damage to vital networks is sure to impact the organization on many levels. And such attacks are only growing in frequency, as Corero estimates that there was a 40% year-on-year increase in DDoS attacks in 2018. With an estimated average cost to enterprises of $2 million per DDoS attack, it is no wonder that CISOs fear cyberattacks more than ever in 2019.
The potential for malicious actors to access sensitive data during periods of vulnerability could also gravely impact customer trust and do near-irreparable harm to overall brand value. Take, for instance, the Equifax data breach of 2017. While the root of the vulnerability was apparently out-of-date software on a single web server, it resulted in a breach of the personal information of over 148 million consumers, including sensitive data like credit card numbers, driver’s license numbers, and Social Security numbers. While Equifax has begun recovering from the massive hit to customer trust, that hasn’t saved the jobs of the company’s top information security officers. This illustrates the pressures and occupational dangers CISOs face in their responsibility for the security and integrity of all aspects of company networks.
While Equifax placed the blame for the data breach on one employee for failing to patch a server, the actual situation illustrates the potential nightmare of internal company reporting structures. Despite Equifax being aware of the vulnerability, it was never patched, and the breach was not even identified for two months. Much of the blame can actually be placed on the fact that then-CSO Susan Mauldin “did not report to the CIO, but was buried underneath the Chief Legal Officer”.
Such a silo between IT and security significantly widened the extent of the breach and hampered efforts to keep the situation from worsening. Equifax has since fixed its organizational structure by placing the new CISO directly under the CEO, but it certainly learned this lesson the hard way. And it seems that other companies have not learned second-hand from the Equifax breach: KrebsOnSecurity found that only five percent of the global top 100 companies list a CISO on their executive leadership page. While each CISO faces unique challenges, having to fight for organizational attention and funding detracts from their ability to optimize networks and enterprise systems for security and risk mitigation.
Furthermore, even without any major organizational stumbling blocks, many CISOs simply find it challenging to fully staff their departments. A prolonged search for competent employees could draw resources away from important day-to-day tasks of shoring up a company’s cyber defenses and straightening out its network security processes, in addition to distracting the CISO from staying on top of new risks facing the organization.
If securing company networks from threats wasn’t already difficult enough, the arrival of the Internet of Things (IoT) is another reason why CISOs may have some sleepless nights.
Briefly, the IoT refers to a network of internet-connected devices that communicate with each other. Talk of the IoT usually extends beyond objects traditionally used to access the internet, like computers and smartphones, to encompass objects ranging from scanners to security systems and even toasters. The widespread adoption of such IoT devices certainly makes our lives more convenient, but those working in cybersecurity feel the drawbacks of this trend most directly.
The downside to these expanded capabilities is that every additional IoT-enabled device brings potential security risks. Sensitive company information is gradually being shifted over to cloud storage, meaning that such networks are ripe for attack from malicious actors. Each additional access point to this information cloud represents another possible route for hackers to gain unwanted access and wreak havoc on the data integrity of the organization.
In short, the cat-and-mouse game between hackers and CISOs is still in an early stage when it comes to the IoT. This step into the unknown of massive IoT connectivity is most unnerving for CISOs, who will bear the brunt of the blame if previously unknown vulnerabilities become exploited. It is impossible to know how many vulnerabilities to data breaches and hacks may result from the increased connectivity through the IoT, and the phenomenon is new enough that data protection and risk mitigation solutions are not yet as robust as they inevitably will come to be.
Since CISOs are in charge of all aspects of IT risk management, they will likely be held responsible even when the cause is a reckless action by an employee. This discrepancy between limited control and extreme exposure keeps the possibility of employee error near the top of a CISO’s list of worries.
For example, employees could fall for a phishing scam and introduce malware into the company’s network. The potential for employees to access company-sensitive information on mobile devices while connected to public networks is a further security nightmare for CISOs. Disgruntled employees may also choose to leak confidential information, making the complete security of company information virtually impossible. CISOs should review their organization’s information security policies on a regular basis and proactively introduce new training materials to educate employees on cybersecurity risks.
At the end of the day, the CISO bears the ultimate responsibility for the security and integrity of a company’s information network. Effective CISOs understand business risk on a level deeper than anyone else in the organization and are best able to understand the merits of new tools and solutions. They see better than anyone how the different departments communicate with each other and are able to propose control methods for keeping the flow of information within the organization secure. Even when unexpected disaster inevitably strikes, CISOs will have already prepared an incident response strategy that will hopefully mitigate damage and keep the company running smoothly.
No wonder the job, while stressful, is more important than ever. With such a range of critical responsibilities and the growing prevalence of cyberattacks and security vulnerabilities, CISOs have to see the big picture in terms of risk management while also navigating the day-to-day decisions regarding corporate information security.
At Resolver, we provide an integrated approach to third party risk management, capable of managing risk and security across the entire enterprise. With an understanding of the biggest information security risks facing organizations today, we offer industry-leading software in threat & vulnerability management, incident management and reporting, and IT risk and compliance, just to name a few.
When companies make their lists of priorities, where do they put risk management for IT teams?
It usually depends on how much they know about IT risks and how catastrophic they can be. Here, we’ll look at three of the most serious incident types that have brought companies into the news, and not for the right reasons.
Data collection is an inexorable part of both B2B and B2C tech. Functionalities that clients take for granted, from chat apps to GPS, require the app developer to collect information about a user’s location, social network, and more. If a developer isn’t scrupulous and exceedingly careful, some of that information can easily fall into the wrong hands.
Within the organization, BYOD policies and other such programs can be perks for employees, but often these initiatives are put in place without understanding the threat they pose to network security. Poor processes and the lack of visibility into why certain security measures are important can damage a company’s ability to secure their networks and prevent breaches. Clear communication between the IT department and the organization’s employees improves adherence to policies and better execution of security processes.
When consumers learn that a company has shared their information without their permission, bad press can hit quickly and do a lot of damage. If it turns out that the company promised not to share but shared anyway, the bad publicity can be devastating. Any control that prevents unlawful sharing is a wise investment. Additionally, unclear policies about using personal devices on an organization’s secure network can result in security breaches and leaked private data.
The Internet of Things, or IoT, is exploding in popularity. Commonly used consumer and medical devices are Internet-enabled, giving the average person an unprecedented level of connectivity. We can adjust our home heating before leaving work and send data from wearable heart monitors directly to our doctors. The side effect of this trend? The details of our everyday lives and most intimate habits are now vulnerable to capture.
In Singapore, hackers accessed and copied personal and health data from 1.5 million SingHealth patients. For 160,000 of these individuals, outpatient medication records were among the data taken.
A mother in South Carolina found out that her baby monitor had been hacked. She believed that an unknown third party had been using it to watch her breastfeed her child. Research revealed that the P2P cloud service backing up data from multiple devices could easily be accessed by anyone who knew the shared password.
In the UK, a university study showed that IoT technology could be abused by end users themselves to manipulate and control members of their families or households.
It’s much easier to prevent a fire than to clean up after one. It’s vital that IT teams at IoT companies start introducing as many protections as possible, including:
It may be impossible to keep IoT customers completely safe, but a comprehensive security plan can offer the maximum degree of protection.
Not all risks to business are malicious attacks. A business’s image can still go down the tubes if a critical piece of technology fails and interrupts crucial operations.
According to digital publisher TechRadar, outages cost businesses an average of $10.8 million per incident. And it happens more than you might think – so far, nearly half of all organizations have experienced a loss of market share due to technological failure. Four out of every five organizations experience at least one such failure in an average year.
Every IT security team needs to have sufficient plans in place that if an outage does occur, you can get the system back online in a time frame that stakeholders will deem acceptable if not excellent.
The only way to do this is with comprehensive testing of all processes. End-user testing is a crucial part of any testing protocol since it’s the only way to evaluate integrated third-party services. The average website uses nine to 13 third-party services and if one of these goes down, the whole system can follow.
A testing protocol should be able to identify performance issues at the lowest level of data and at any step of any transaction. By nipping small errors in the bud, you keep them from growing into failures that other teams have to absorb.
Both IT failures and breaches can ruin a company’s reputation and cost millions of dollars, to say nothing of the legal ramifications. The controlling of cyber risks is not optional or an extra – it’s the only way for a company to stay safe in today’s connected world.
Resolver helps the world’s leading IT departments mitigate cyber risks and prevent cyberattacks.
Effective March 31, 2019, all federally regulated financial institutions (FRFIs) in Canada must follow new reporting requirements as it pertains to technology and cybersecurity related incidents. The Office of the Superintendent of Financial Institutions (OSFI) mandates that FRFIs need to notify OSFI of the incident in a timely manner and take necessary steps to prevent the incident from occurring again.
This announcement comes shortly after the recent PIPEDA legislation came into effect on November 1, 2018.
In this case, an incident refers to a technology or cybersecurity event that has “the potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information.” Any incident assessed at a high or critical severity level should be reported to OSFI.
Lead Supervisors must be notified no later than 72 hours after an incident has occurred. Subsequent notification to OSFI must be made in writing with details about the incident. The initial report should include when the incident occurred, the type of incident and its severity, any known impact on the business, and any mitigation efforts under way. OSFI publishes the full list of details to report.
After the initial report is sent, OSFI expects FRFIs to provide regular updates to fill in any gaps in the original incident report. These updates should also include short- and long-term remediation plans to contain the incident. A post-mortem incident review with lessons learned should also be sent to OSFI.
Financial institutions need to have clearly stated policies and procedures that lay out the steps that need to be taken in the event of a technology or cybersecurity related incident. Compliance with new and changing reporting requirements can be complex, but it doesn’t have to be. Resolver’s Compliance and Incident Management software helps FRFIs manage ever-changing regulatory requirements and comply with the new reporting requirements via triggered alerts sent directly to Lead Supervisors and OSFI.
*Guest post by Terry Lampropoulos*
Imagine arriving at work only to find out that none of your systems are working due to a cyberattack on your entire company. You might find it hard to believe but your organization’s Business Continuity Management (BCM) and Disaster Recovery (DR) teams are the main support structures in these situations.
Traditionally, a BC/DR plan is in place to get businesses and their technological infrastructure up and running again after a flood, fire, hurricane, or similar hazard. Now these teams are on the front lines of managing cybersecurity incidents.
While there is overlap between how both teams help an organization’s overall business resilience efforts, there are some distinctions between the two. The BCM arm is more focused on critical business areas that are revenue generating. The DR arm is responsible for understanding the implications of an incident on an organization’s technology and overall infrastructure.
When a cyber incident occurs, the BCM team relays relevant information about the event to the DR team. The DR team is then responsible for understanding what specific vulnerability led to the compromise, executing the procedures to remediate the effects of the attack, and documenting steps to prevent the attack from recurring.
Managing through a cyber event, recovering a business, and regaining normal operations requires a lot of planning. In addition to documenting critical business functions, regular testing needs to occur to ensure disaster recovery groups are ready to manage these kinds of incidents. Your BCM and DR specialists will ask a lot of questions in order to try and figure out the critical applications you need when a disaster occurs, what the recovery time of these applications should look like, and also help you determine proactive workarounds to make sure that your organization can still function in the worst-case scenario.
While getting up and running is crucial for business operations, it is just as important to effectively communicate with internal and external stakeholders during a cyber event. Think about large multinational organizations that experienced well-publicized breaches in their servers over the past few years. In many cases, the public disclosure of the hacking incident came well after the hack occurred.
Unfortunately for these organizations, they suffered significant reputational damage after the fact even though the incident was never something they wanted. Business resilience teams have the unique capability of maintaining a view of the entire organization, and they can advise the PR team on how to communicate hacking incidents to the public. Having documented crisis communications plans ready before recovery begins makes it easier to manage public sentiment during a hacking incident.
The world we live in today is filled with cyberattacks that are well documented in the media. Organizations need to protect themselves from cyberattacks by building and maintaining resilient firewall systems, but you always need to be prepared to manage hacking incidents when everything else fails. By proactively documenting recovery plans and crisis communication strategies, less time will be spent trying to solve issues associated with cyberattacks and more time will be spent returning to normal operations.
Terry Lampropoulos is a Professor of Risk Management at Seneca College in Toronto, Canada. In addition to this, he holds the Canadian Risk Management (CRM) designation offered through the Risk and Insurance Management Society and the Associate Business Continuity Professional (ABCP) designation offered through the Disaster Recovery Institute.